secrets: move transmission secret to agenix

2022-03-11 18:14:50 +01:00 · 2022-03-11 18:14:50 +01:00 · 165b30ef9c
parent 540968627c
commit 165b30ef9c
8 changed files with 18 additions and 9 deletions
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@ -142,7 +142,7 @@ in
    transmission = {
      enable = true;
      username = "alarsyo";
-      password = secrets.transmission-password;
+      secretConfigFile = config.age.secrets."transmission/secret".path;
    };
  };
--- a/hosts/poseidon/secrets.nix
+++ b/hosts/poseidon/secrets.nix
@ -17,6 +17,10 @@
            owner = "matrix-synapse";
          };
          "transmission/secret" = {
            owner = "transmission";
          };
          "users/alarsyo-hashed-password" = {};
          "users/root-hashed-password" = {};
        };
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -22,6 +22,8 @@ in
  "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
  "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
  "transmission/secret.age".publicKeys = [ poseidon ];
  "users/root-hashed-password.age".publicKeys = machines;
  "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
 }
--- a/modules/secrets/transmission/secret.age
+++ b/modules/secrets/transmission/secret.age
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -11,7 +11,6 @@ in {
  config.my.secrets = {
    miniflux-admin-credentials = fileContents ./miniflux-admin-credentials.secret;
    transmission-password = fileContents ./transmission.secret;
    nextcloud-admin-pass = ./nextcloud-admin-pass.secret;
    nextcloud-admin-user = fileContents ./nextcloud-admin-user.secret;
--- a/secrets/transmission.secret
+++ b/secrets/transmission.secret
--- a/services/matrix.nix
+++ b/services/matrix.nix
@ -14,6 +14,7 @@ let
    mkEnableOption
    mkIf
    mkOption
    optionals
  ;
  cfg = config.my.services.matrix;
@ -46,7 +47,7 @@ in {
    services.matrix-synapse = {
      enable = true;
-      extraConfigFiles = lib.optionals (cfg.secretConfigFile != null) [
+      extraConfigFiles = optionals (cfg.secretConfigFile != null) [
        cfg.secretConfigFile
      ];
--- a/services/transmission.nix
+++ b/services/transmission.nix
@ -4,6 +4,7 @@ let
    mkEnableOption
    mkIf
    mkOption
    optionalAttrs
  ;
  cfg = config.my.services.transmission;
@ -27,10 +28,11 @@ in
      description = "Name of the transmission RPC user";
    };
-    password = mkOption {
+    secretConfigFile = mkOption {
-      type = types.str;
+      type = types.nullOr types.path;
-      example = "password";
+      default = null;
-      description = "Password of the transmission RPC user";
+      example = "/var/run/secrets/transmission-secrets";
      description = "Path to secrets file to append to configuration";
    };
  };
@ -50,7 +52,6 @@ in
        rpc-authentication-required = true;
        rpc-username = cfg.username;
        rpc-password = cfg.password;
        rpc-whitelist-enabled = true;
        rpc-whitelist = "127.0.0.1";
@ -58,7 +59,9 @@ in
      # automatically allow transmission.settings.peer-port
      openFirewall = true;
-    };
+    } // (optionalAttrs (cfg.secretConfigFile != null) {
      credentialsFile = cfg.secretConfigFile;
    });
    services.nginx.virtualHosts."${webuiDomain}" = {
      forceSSL = true;